The strategy provides federal agencies with new guidance for how to protect themselves and the private data of Americans, said White House National Security Adviser John Bolton.

The policy change was needed “not because we want more offensive operations in cyber space but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear,” Bolton said.

The new policy also outlines a series of broad priorities, including the need to develop global Internet policies and a competent domestic cybersecurity workforce.

Part of the new policy focuses on securing critical infrastructure. The new policy reads:
“The responsibility to secure the Nation’s critical infrastructure and manage its cybersecurity risk is shared by the private sector and the Federal Government. In partnership with the private sector, we will collectively use a risk-management approach to mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure. We will simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure. We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy.”

Some priority actions the new policy is looking to take on include:

Refine roles and responsibilities: The Administration will clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response. Clarity will enable proactive risk management that comprehensively addresses threats, vulnerabilities, and consequences. It will also identify and bridge existing gaps in responsibilities and coordination among Federal and non-Federal incident response efforts and promote more routine training, exercises, and coordination.

Prioritize actions according to identified national risks: The Federal Government will work with the private sector to manage risks to critical infrastructure at the greatest risk. The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: National security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.

Dave Weinstein, a cybersecurity fellow at New America who formerly served in Cyber Command and as a public-sector CTO/CISO and is now vice president of threat research at the network-monitoring security provider Claroty, said there is not much that is actually new in the policy.

“Most government strategy documents tend to be underwhelming and this one is no different. This isn’t a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones.

“The paragraph that stands out to me is the one on the Cyber Deterrence Initiative. Until now we haven’t formally adopted an international approach to deterrence, which includes collaborating on incident response and attribution. This Initiative has enormous potential to be successful if the right nations formally participate and equally contribute to its cause. I would expect to see the Five Eyes join in but it should extend even further, beginning with NATO member-states.

“Another one that stands out to me and is much overdue is the modernization of surveillance and computer crime laws. The Computer Fraud and Abuse Act (CFAA) in particular is in desperate need of a refresh.

“On critical infrastructure, it’s encouraging to see it featured so prominently in the Strategy but the substance is a bit lacking. More creativity is needed for government to maximize its contributions to what is largely a private sector problem. Some of the best ways for government to ‘secure critical infrastructure’ are to incentivize investment in technology, people, and training; share actionable threat intelligence; and deter activities that hold infrastructure assets (and the citizens they serve) at risk. Again, some of these are mentioned but not in great detail.

“Would’ve liked to see a bit more emphasis on state and local cybersecurity as a key component of the national strategy.

“They punted on encryption – would’ve liked to see them take a strong stance on encryption while committing to foster a dialogue between the public and private sector recognizing the real concerns of law enforcement and the national security establishment.

“I was struck by the explicit mention of transportation and maritime cybersecurity – would’ve thought energy and maybe even advanced manufacturing would have received similar attention (especially given the Administration’s domestic policy priorities).